I have a Windows Server 2019 VM and am trying to collect some specific Windows Event Logs using Get-WmiObject.
In order to read an Event Logs channel in Applications and Services, I created a registry key and configured it similar to how this post describes the process. This worked, but when the server reboots, the registry key I created disappears. This happens on a brand new image, so I can't tell if there is something specific that is rewriting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\ on a reboot or something else. I haven't been able to locate any documentation which would give the answer. Is there something I can adjust or a standard pattern to recreate the keys on boot?
Thanks!
Edit: This is specifically for Windows Defender, so the subkey that gets created is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Windows Defender/Operational
This works well, but when the machine reboots, it disappears. In order to use Get-WmiObject you must create this key to collect events. It isn't a customer event I am making, just using the OOB Windows ones in the "Applications and Services" section.